California Legislature Seeks to Restrict Data Use and Ramp Up Retailer Liability for Data Breaches

A bill has been introduced in the California legislature that would dramatically increase retailers’ liability for data breaches. Dubbed the “Consumer Data Breach Protection Act,” Assembly Bill 1710 would enact sweeping changes to California’s data breach notification laws, setting short deadlines by which consumers would need to be notified of breaches and increasing the penalties associated with such breaches. AB 1710’s new provisions would apply to all businesses that sell goods or services to California residents and accept credit or debit cards, although the law retains exemptions for certain businesses that are subject to other privacy regulations (such as financial institutions).

The California Retailers Association has already come out in opposition to the bill, and in years past, has successfully fought similar efforts to expand the state’s data breach notification laws. However, given the number of recent high profile data incidents, lawmakers are in a stronger position this year to amend California’s data protection laws. Indeed, as introduced, AB 1710 made only minor nonsubstantive changes to the data privacy laws, but in the wake of various well-publicized data breaches, the bill’s authors substantially amended the bill to increase the “teeth” in the law.

The following briefly summarizes some of the bill’s key proposed changes:

Expands Restrictions on Data Use and Retention. AB 1710 limits retention of “payment-related data” to the time required for “business, legal, or regulatory purposes”; keeping such data beyond what those purposes require would be prohibited. The bill also requires businesses to adopt “payment data retention and disposal” policies that specify how long such data will be kept. Certain data elements could not be retained at all, including card verification codes, PINs, Social Security numbers and driver’s license numbers, and the sale of an individual’s Social Security number would be forbidden. The term “payment-related data” is defined to include everything within the current statutory definition of “personal information,” such as a consumer’s name, Social Security number, driver’s license number, account numbers, and user names and passwords.

Expands Liability for Data Breaches. AB 1710 would make businesses that maintain data liable to the “owner or licensee” of that data for the costs of providing notice of data breaches, as well as the costs of replacing cards as a result of the breach. The bill contains no true “safe harbor” provision excusing businesses from this liability even when their security procedures follow industry best practices; it provides only that businesses “may be excused” from liability if they can demonstrate compliance with the statutory requirements. The bill also expands liability for violations of California’s data breach notification law by authorizing public prosecutors to seek civil penalties of $500 per violation, or $3,000 per violation in the case of intentional or reckless violations. This is in addition to existing provisions permitting consumers to seek damages and, for certain types of violations, civil penalties. Public prosecutors would also be authorized to seek civil penalties of $500 per violation when a party violates the restrictions on the use of Social Security numbers.

Expands and Speeds Up Notification Requirements. AB 1710 expands the notification requirements by requiring that consumers be notified when unauthorized persons acquire even encrypted personal information, or when noncomputerized data is involved (currently, only breaches involving unencrypted computerized data trigger notification, so encrypting stored data would no longer by itself eliminate the duty to notify). Additionally, the entity that maintains the data would be required to notify affected consumers within 15 days of the breach by sending them an email, posting a notice on the internet and notifying “major statewide media.” Notification could be delayed only at the request of law enforcement.

Requires Identity Theft and Mitigation Services. If the business providing the notification was responsible for the breach, AB 1710 requires that consumers whose personal information may have been exposed be provided free identity theft prevention and mitigation services (such as credit monitoring) for at least 24 months.

Mandates Encryption. Under the bill, primary account numbers could only be retained if maintained in a form that would be “unreadable and unusable” to unauthorized persons. Payment-related data could only be transmitted over public networks if it is encrypted or “otherwise rendered indecipherable.”

Expands Restrictions on Data Access. Businesses would be required to limit access to payment-related data to only those individuals whose positions “require” such access.

About Retail & Consumer Products Law Observer

Crowell & Moring is a full-service, international law firm that represents a broad spectrum of clients in the retail and consumer product industries, including wholesale and specialty retailers, department stores, and big-box retailers, apparel, cosmetics, food and beverage, consumer electronics and other consumer products companies, as well as investors in these sectors. Our clients call upon us, time and again, to help them navigate the complex legal and regulatory regimes, both domestically and internationally, applicable to the design and promotion of products and services, and to assist them in taking innovative and proactive measures to protect their business from the array of challenges before them. Our Retail & Consumer Products Law Observer blog features legal insight and thought-leadership affecting the industry.